Sudo utility hit by permission bypass vulnerability

October 15, 2019 | 11:35

Tags: #bsd #insecurity #linux #posix #security #sudo #unix #vulnerability

A flaw in the sudo utility, which allows users on multiuser systems to execute commands in the context of a separate user account, has been discovered - but while it allows supposedly-unprivileged users to execute commands under the root user context, it's only exploitable in unusual non-standard configurations.

In the early days of computing, and for a surprising time after in the personal computer sector, operating systems were single-user. The rise of multiuser systems, giving each user control over their own programs and files, brought with it the concept of privilege levels: An unprivileged user might only be able to use preinstalled software, while one with higher privileges might be able to install their own software. The highest privilege level, meanwhile, is reserved for the system operator - and in UNIX-style systems, including Linux, that's the root user.

The sudo utility was created to avoid the need to log out of one account and into another when elevated privileges are required. Using sudo, a user with permission to use the utility can execute a command in the context of another user - including, if they've been added to the relevant permission list, the root user. A flaw in the tool, however, grants root-user access to those who should not have it - albeit only in an unusual, non-standard configuration.

According to a security bulletin revealing the flaw, sudo accepts two magic numbers for the user identifier: -1 and 4294967295. Using either of these numbers results in the command being executed as the root user - even if the original user account is specifically forbidden from doing so under normal conditions.

It's a serious issue, but in mitigation requires that the user is permitted to use sudo to execute commands as any user on the system - the ALL keyword - except the root user. For most setups, that's the exact opposite of the default configuration where users with sudo access are permitted to execute a command as root but not as other unprivileged users. Unless a system has been set up with those specific access rules, attempts to exploit the vulnerability will fail.

Nevertheless, the sudo developers have released a patched version to close the hole. Anyone running a system with sudo installed should use --version to confirm they are running 1.8.28 or higher.

Discuss this in the forums
Mod of the Month August 2020 in Association with Corsair

September 18 2020 | 18:30